Hi guys,

On Sat, Feb 10, 2018 at 06:26:42PM +0100, Mateusz Małek wrote:
> Hi everyone,
> 
> I've narrowed my problem down to the same commit as Tomek Gacek -
> c2aae74f010f97a3415542fe649198a5d3be1ea8 (MEDIUM: ssl: Handle early data
> with OpenSSL 1.1.1), so I guess it may be related. In my case, since upgrade
> to 1.8, some responses from some backends (not sure what exactly triggers
> the bug) do not have their headers modified (despite http-response
> add-header and http-response del-header being set).
> 
> Applying patch part-by-part, I got to a point where it seems that that was
> caused by changes to ssl_sock_to_buf function in src/ssl_sock.c (lines
> 396-431):
> https://gist.github.com/mkwm/13dd32fe2b5ec21182f8a06a304228df#file-break-patch-L396-L431
> 
> Code at out_error label behaves a bit differently from part removed in this
> commit - namely, it sets conn->flags |= CO_FL_ERROR unconditionally, while
> previously there was an additional check (skipping error flag setting if
> errno was set to EAGAIN). My problems went away straight away when I changed
> out_error to match old code.
> 

Thanks a lot for the detailed analysis, and sorry for the late answer.
You're probably right, SSL_ERROR_SYSCALL shouldn't be treated as an
unrecoverable error.
So, what you basically did was something equivalent to the patch attached?

Thanks a lot!

Olivier
From b423f94273be2c7040ce0861bd4a21617b4c5c2b Mon Sep 17 00:00:00 2001
From: Olivier Houchard <ohouch...@haproxy.com>
Date: Tue, 13 Feb 2018 15:17:23 +0100
Subject: [PATCH] MINOR/BUG: ssl: Don't always treat SSL_ERROR_SYSCALL as
 unrecoverable.

SSL_read() might return <= 0, and SSL_get_error() return SSL_ERROR_SYSCALL,
without meaning the connection is gone. Before flagging the connection
as in error, check the errno value.

This should be backported to 1.8.
---
 src/ssl_sock.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index aee3cd965..687133b0d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5452,7 +5452,9 @@ static int ssl_sock_to_buf(struct connection *conn, 
struct buffer *buf, int coun
        ssl_sock_dump_errors(conn);
        ERR_clear_error();
 
-       conn->flags |= CO_FL_ERROR;
+       if ((ret != SSL_ERROR_SYSCALL) ||
+           (errno && errno != EAGAIN))
+               conn->flags |= CO_FL_ERROR;
        goto leave;
 }
 
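Review bot: The errno test in the added condition runs after ssl_sock_dump_errors(conn) and ERR_clear_error(), so the value it reads may no longer be the one left by the failing SSL call if either of those calls touches errno. Consider saving errno in a local at the point where the error is detected and testing that local here. The condition also leaves CO_FL_ERROR unset when ret is SSL_ERROR_SYSCALL and errno is 0; nothing else between this check and goto leave flags the connection, so a short comment stating that this case is deliberately treated as recoverable would help the next reader.
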
-- 
2.14.3
